The State of Security

A handful of strategic data-center security technologies are
working to help Chief Information Security Officers (CISOs) at federal
agencies keep threats at bay. However, their ability to defend agency
networks would be improved with changes to organizational structures
and the adoption of a risk-management culture.

Federal Chief Information Security Officers (CISO)s are making headway
in the battle for cybersecurity, as protection from threats both
internal and external becomes a top priority across agency leadership.
However, while there are a number of data-center security technologies
that CISOs feel are indispensible for their jobs, these executives also
face organizational challenges and budgetary limits that keep them from
achieving their goals. And because new attacks can spring up at any
time, CISOs must constantly scan the threat horizon and be prepared to
defend their organizations against the unknown.

The CISO PerspectiveTo get a sense for how federal agency CISOs are coping
with threats and other security issues, the International Information
Systems Security Certification Consortium Inc. (ISC)2, Government
Futures, and Cisco conducted a study in 2009 of forty federal agency
and bureau-level CISOs. Called The State of Cybersecurity from the
Federal CISO’s Perspective, the report summarizes how CISOs
feel they are faring in the battle for cybersecurity, and makes some
recommendations for improvement.

In general, survey respondents said they are feeling
“empowered,” since agency management is paying more
attention to cybersecurity than in the past.

“The CISOs’ responses clearly demonstrate that
cybersecurity is evolving in terms of management priority,”
said W. Hord Tipton, executive director of (ISC)2. “Although
CISOs are still facing organizational challenges, we view it as a
positive sign that CISOs feel they are being listened to by senior
management and that their recommendations are, for the most part, being
considered and implemented.”

Still, half of the respondents said while they are making progress to
protect their agencies, they’re still “not getting
ahead of the attackers,” according to the survey. The other
half answered that they believe they are “turning the
corner” in the battle for cybersecurity.

When it comes to top concerns, 48 percent of federal CISOs said they
are most worried by external threats, due to the potential for data
loss and exploits. Tied for second place are insider threats and
software vulnerabilities, at 26 percent each.

Top Five for SecurityAs concern over external threats increases, so does the
dependency that CISOs place on technologies to help them protect their
perimeters, safeguard sensitive information, and prevent unauthorized
access to data and resources. According to the survey, CISOs
highlighted the top five data-center technologies that are most useful
in combating threats:

*
Intrusion detection
systems/intrusion prevention systems

*
Authentication

*Encryption

*Better software

*Quality product testing

Despite the advances in security technology, there are internal issues
that CISOs are grappling with in the fight to protect their networks.
Improving agency governance is another priority among CISOs, which
includes “…getting greater buy-in from agency
leadership, eliminating security stove pipes, developing sound metrics,
improving IT inventory, and implementing a risk management
program,” according to the survey. Compliance is another
concern for respondents; in particular establishing better relations
with the Inspector General in their agencies and achieving
certification and accreditation goals, they said.

On the personnel front, CISOs said that retaining key security staff
has been easier because of the economic crisis. As respondents look
ahead to hiring in the future, they say they will look for candidates
with the right experience, communications skills, professional
certifications, and security clearances.

CISOs responding to the survey say there are a number of changes that
federal agencies could make to how they approach cybersecurity. First,
the emphasis should move from compliance reporting – which
takes a snapshot of compliance levels at a certain point in time
– to risk management and continuous monitoring for threats, since focusing on
defending from attacks should take priority over proving compliance.
The respondents also said that strict security requirements should be
enforced whenever major IT systems are acquired by an
agency.

Cara Garretson is a freelance writer for 1105 Government Information Group’s Custom Media unit. This Snapshot report was commissioned by the Custom Media Group, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Custom Media, please email us at GIGCustomMedia@1105govinfo.com